From: Remi Gacogne Date: Fri, 20 Nov 2015 11:16:16 +0000 (+0100) Subject: Check that offset < len in DNSName::packetParser. X-Git-Tag: dnsdist-1.0.0-alpha1~210^2~8^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2916%2Fhead;p=thirdparty%2Fpdns.git Check that offset < len in DNSName::packetParser. If DNSName::packetParser() is called with offset >= len, we do pos = qpos + offset, then labellen=*pos++ before checking that pos is not after qpos + len, leading to a potential out-of-bound read. --- diff --git a/pdns/dnsname.cc b/pdns/dnsname.cc index 7f7976e91e..c69270db98 100644 --- a/pdns/dnsname.cc +++ b/pdns/dnsname.cc @@ -41,6 +41,10 @@ void DNSName::packetParser(const char* qpos, int len, int offset, bool uncompres const unsigned char* pos=(const unsigned char*)qpos; unsigned char labellen; const unsigned char *opos = pos; + + if (offset >= len) + throw std::range_error("Trying to read past the end of the buffer"); + pos += offset; const unsigned char* end = pos + len; while((labellen=*pos++) && pos < end) { // "scan and copy"
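Review bot: The added guard `if (offset >= len)` compares two signed `int` values, so a negative `offset` passes it and `pos += offset` then moves the pointer before `qpos`; checking `offset < 0 || offset >= len` would cover that case as well. Separately, in the context lines right after the guard, `end` is computed as `pos + len` once `pos` has already been advanced by `offset`, so it equals `qpos + offset + len` rather than the `qpos + len` the commit message refers to. The loop's `pos < end` test therefore still allows reads up to `offset` bytes past the buffer. Deriving the bound from the unadvanced pointer, for example `opos + len`, would make `end` match the real end of the buffer.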